ALT-PU-2025-4505-3

BDU:2025-02321

MEDIUM4.3

Уязвимость виртуальной обучающей среды Moodle, связанная с недостатками контроля доступа, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2025-03-05Modified: 2025-09-30

CVSS 3.xMEDIUM 4.3

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N

References

CVE-2025-26531

BDU:2025-02322

MEDIUM4.7

Уязвимость виртуальной обучающей среды Moodle, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю получить провести атаку межсайтового скриптинга (XSS)

Published: 2025-03-05Modified: 2025-03-19

CVSS 3.xMEDIUM 4.7

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

References

CVE-2025-26528

BDU:2025-02323

HIGH7.5

Уязвимость виртуальной обучающей среды Moodle, связанная с недостаточной защитой служебных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2025-03-05Modified: 2025-03-19

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N

References

CVE-2025-26525

BDU:2025-02324

MEDIUM6.5

Уязвимость виртуальной обучающей среды Moodle, связанная с недостатками контроля доступа, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2025-03-05Modified: 2025-03-19

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CVSS 2.0MEDIUM 6.4

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:P

References

CVE-2025-26526

BDU:2025-02325

CRITICAL9.8

Уязвимость виртуальной обучающей среды Moodle, связанная с непринятием мер по защите структуры запроса SQL, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2025-03-05Modified: 2025-09-30

CVSS 3.xCRITICAL 9.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2025-26533

BDU:2025-02326

MEDIUM4.3

Уязвимость виртуальной обучающей среды Moodle, связанная с недостаточной защитой служебных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2025-03-05Modified: 2025-03-19

CVSS 3.xMEDIUM 4.3

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N

References

CVE-2025-26527

BDU:2025-02327

MEDIUM4.7

Уязвимость виртуальной обучающей среды Moodle, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю получить провести атаку межсайтового скриптинга (XSS)

Published: 2025-03-05Modified: 2025-03-19

CVSS 3.xMEDIUM 4.7

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

References

CVE-2025-26530

BDU:2025-02328

MEDIUM4.3

Уязвимость виртуальной обучающей среды Moodle, связанная с недостатками контроля доступа, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2025-03-05Modified: 2025-09-30

CVSS 3.xMEDIUM 4.3

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N

References

CVE-2025-26532

BDU:2025-02329

MEDIUM4.7

Уязвимость виртуальной обучающей среды Moodle, связанная с непринятием мер по защите структуры веб-страницы, позволяющая нарушителю получить провести атаку межсайтового скриптинга (XSS)

Published: 2025-03-05Modified: 2025-04-11

CVSS 3.xMEDIUM 4.7

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

References

CVE-2025-26529

BDU:2025-04328

CRITICAL10.0

Уязвимость функции s.contexts._.configure библиотеки для загрузки модулей JavaScript RequireJS, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании

Published: 2025-04-14

CVSS 3.xCRITICAL 10.0

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2024-38999

BDU:2025-06112

MEDIUM5.3

Уязвимость компонента Grade Report Handler виртуальной обучающей среды Moodle, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2025-05-29

CVSS 3.xMEDIUM 5.3

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS 2.0MEDIUM 5.0

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N

References

CVE-2025-32045

BDU:2025-06871

HIGH7.5

Уязвимость виртуальной обучающей среды Moodle, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2025-06-18

CVSS 3.xHIGH 7.5

CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 2.0HIGH 7.8

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N

References

CVE-2025-32044

CVE-2024-38999

CRITICAL10.0

jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Published: 2024-07-01Modified: 2026-04-15

CVSS 3.xCRITICAL 10.0

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

CVE-2025-26525

HIGH8.6

Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).

Published: 2025-02-24Modified: 2025-08-08

CVSS 3.xHIGH 8.6

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

References

CVE-2025-26526

MEDIUM6.5

Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.

Published: 2025-02-24Modified: 2025-08-08

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

CVE-2025-26527

MEDIUM5.3

Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.

Published: 2025-02-24Modified: 2025-08-08

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

CVE-2025-26528

MEDIUM6.1

The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.

Published: 2025-02-24Modified: 2025-08-08

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

CVE-2025-26529

MEDIUM6.1

Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.

Published: 2025-02-24Modified: 2025-08-08

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

CVE-2025-26530

MEDIUM6.1

The question bank filter required additional sanitizing to prevent a reflected XSS risk.

Published: 2025-02-24Modified: 2025-08-11

CVSS 3.xMEDIUM 6.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

CVE-2025-26531

MEDIUM5.3

Insufficient capability checks made it possible to disable badges a user does not have permission to access.

Published: 2025-02-24Modified: 2025-08-07

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

CVE-2025-26532

MEDIUM4.3

Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored.

Published: 2025-02-24Modified: 2025-08-06

CVSS 3.xMEDIUM 4.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

References

CVE-2025-26533

CRITICAL9.8

An SQL injection risk was identified in the module list filter within course search.

Published: 2025-02-24Modified: 2025-08-06

CVSS 3.xCRITICAL 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

CVE-2025-32044

HIGH7.5

A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data—including names, contact information, and hashed passwords—via stack traces returned by specific API calls. Sites with PHP configured with zend.exception_ignore_args = 1 in the php.ini file are not affected by this vulnerability.

Published: 2025-04-25Modified: 2025-06-24

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

CVE-2025-32045

MEDIUM5.3

A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions to access hidden grades.

Published: 2025-04-25Modified: 2025-06-24

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

GHSA-345q-9jmq-g9q4

HIGH7.5

Moodle allows unauthenticated REST API user data exposure

Published: 2025-04-25Modified: 2025-04-25

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

GHSA-4hmr-39vp-xfrr

HIGH8.6

Moodle has an arbitrary file read risk through pdfTeX

Published: 2025-02-25Modified: 2025-02-25

CVSS 3.xHIGH 8.6

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

References

GHSA-4w32-c9g7-27qx

HIGH8.3

Moodle allows reflected XSS via question bank filter

Published: 2025-02-25Modified: 2025-02-25

CVSS 3.xHIGH 8.3

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

GHSA-5r85-6h7f-rg3r

MEDIUM5.3

Moodle's non-searchable tags can still be discovered on the tag search page and in the tags block

Published: 2025-02-25Modified: 2025-02-25

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

GHSA-8m7c-hm88-2p97

MEDIUM5.3

Moodle shows hidden grades to users without permission on some grade reports

Published: 2025-04-25Modified: 2025-04-25

CVSS 3.xMEDIUM 5.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

GHSA-cw24-f6fq-7j9v

LOW3.1

Moodle allows teachers to evade trusttext config when restoring glossary entries

Published: 2025-02-25Modified: 2025-02-25

CVSS 3.xLOW 3.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

References

GHSA-g88w-v4cq-qgcp

LOW3.1

Moodle has an IDOR in badges allows disabling of arbitrary badges

Published: 2025-02-25Modified: 2025-02-25

CVSS 3.xLOW 3.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

References

GHSA-h697-w4ph-7pcx

LOW3.4

Moodle has a stored XSS in ddimageortext question type

Published: 2025-02-25Modified: 2025-02-25

CVSS 3.xLOW 3.4

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N

References

GHSA-pxg4-xjp7-w9c5

MEDIUM6.5

Moodle's feedback response viewing and deletions did not respect Separate Groups mode

Published: 2025-02-25Modified: 2025-02-25

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

GHSA-rg56-94j7-hjx9

HIGH8.1

Moodle has a SQL injection risk in course search module list filter

Published: 2025-02-25Modified: 2025-05-08

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

GHSA-wr88-x8cm-7cgq

HIGH8.3

Moodle has a stored XSS risk in admin live log

Published: 2025-02-25Modified: 2025-02-25

CVSS 3.xHIGH 8.3

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

References

GHSA-x3m3-4wpv-5vgc

HIGH8.9

jrburke requirejs vulnerable to prototype pollution

Published: 2024-07-01Modified: 2024-07-25

CVSS 3.xHIGH 8.9

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS 4.0HIGH 8.9

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

Package update moodle in branch sisyphus

Closed issues (36)

Уязвимость функции s.contexts._.configure библиотеки для загрузки модулей JavaScript RequireJS, позволяющая нарушителю выполнить произвольный код или вызвать отказ в обслуживании

Уязвимость компонента Grade Report Handler виртуальной обучающей среды Moodle, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Уязвимость виртуальной обучающей среды Moodle, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts._.configure. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).

Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.

Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.

The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.

Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.

The question bank filter required additional sanitizing to prevent a reflected XSS risk.

Insufficient capability checks made it possible to disable badges a user does not have permission to access.

Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored.

An SQL injection risk was identified in the module list filter within course search.

A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions to access hidden grades.

Moodle allows unauthenticated REST API user data exposure

Moodle has an arbitrary file read risk through pdfTeX

Moodle allows reflected XSS via question bank filter

Moodle's non-searchable tags can still be discovered on the tag search page and in the tags block

Moodle shows hidden grades to users without permission on some grade reports

Moodle allows teachers to evade trusttext config when restoring glossary entries

Moodle has an IDOR in badges allows disabling of arbitrary badges

Moodle has a stored XSS in ddimageortext question type

Moodle's feedback response viewing and deletions did not respect Separate Groups mode

Moodle has a SQL injection risk in course search module list filter

Moodle has a stored XSS risk in admin live log

jrburke requirejs vulnerable to prototype pollution